System architecture permitting verified and unverified programs to execute safely on one processor

ABSTRACT

A system architecture uses at least two processors (2, 3), which jointly control a process and constantly compare their data with each other. A program complex which has been checked with respect to the possible errors, as well as a non-checked program complex, runs on one of the two processors (2). In order to rule out interference in the checked program complex by the non-checked one, the peripheral hardware (12) which interacts with the checked program complex is provided with inhibit inputs (16), and the tested program complex, via the inhibit inputs (16), blocks the peripheral hardware (12) which is reserved for it before it gives up command to the non-checked program complex.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The operation of machines is being automated to an increasing extent, specifically also that of machines which, because of the large number of independent axes, have a significant control system complexity. In order to rule out hazards for humans and machines as far as possible, these control systems have to be safe to a very high degree, at least with respect to those control instructions whose erroneous actuation can have catastrophic consequences for the humans or the machines.

In the past, one has relied essentially on relay technology in this case, under the assumption that relays and contactors are comparatively safe control means. However, even in the case of this technology, redundancy and a type of test programs had to be provided, by means of which the relays have been reciprocally monitored or checked with respect to their functioning. The outlay on relays, even for comparatively simple control systems of, for example, eccentric-shaft presses, was enormous from the point of view of the space requirement. More complex safe control systems, which are able to detect errors and, when the error is detected, to stop the installation on the safe side, can virtually not be managed at all in relay technology because of the space requirement.

For this reason, a change was made to constructing the control system with electronic components instead of electromechanical components, although there was an awareness that electronic components are more sensitive to external influences, under certain circumstances, and more complicated errors can occur. In order to manage these difficulties to a certain extent, the control systems were designed with multiple channels, the channels monitoring one another mutually.

2. Description of the Related Art

With automation progressing still further, the transition to microprocessor-controlled installations was necessary, which in turn adds a further class of errors, namely software errors.

The implementation of control systems with the aid of microprocessors and programs only makes sense, however, when it is simultaneously made possible for the user to expand the control systems and to take into the control systems further machines or machine movements which, under certain circumstances, are also not relevant to safety. In this case, the program part controlling functions which are not necessarily safe must in no way influence the program part which is supervising safe functions. Otherwise, it would be possible for grave disturbances to arise, the causes of which are virtually impossible to find, since under certain circumstances they depend on the time correlation of specific input signals.

In addition, it forms part of the prior art to allow a plurality of programs to run on one processor, nested in time, as is described by Zilker in the book "Praxis des Multitasking" [Multitasking in practice], Franzis' Verlag, Munich, 1987, pages 11 to 14. To this end, the individual programs which alternate one after another are written in such a way that after a predetermined time, generally controlled by an interrupt, they freely give back the processor, for example to a system core, which then starts a program which is similar with respect to its processor behavior.

It is furthermore known, via so-called inhibit inputs, to block components or groups of components in a computer control system, in order to prevent these components taking over items of information which are offered to them, for example via a bus line, and are intrinsically intended for other components. One example for such a circuit is described by Williams in "Trouble-shooting on Microprocessor based Systems", Pergamon Press, 1984, pages 9 to 12.

Furthermore, US-A-4 484 270 discloses a central control unit which is provided for use with a large number of data processing systems. Each of these data processing systems can be subdivided into further units, each of which in turn itself has the property of a data processing system. All these units access common peripheral devices via an interface subsystem.

OBJECTS AND SUMMARY OF THE INVENTION

In order to remove individual units or devices from availability, that is to say to decouple them electrically and in terms of information technology, the individual interface circuits may be optionally blocked.

Based on this, the object of the invention is to provide a system architecture which permits programs which have been checked for safety and programs which have not been checked for safety to run on one processor, without there being the risk that the non-checked program can influence the running of the tested program in an undesired way or can interfere with it.

According to the invention, this object is achieved by the system architecture having the features of claim 1.

For reasons of electrical complexity and the outlay on components, it is practical to allow two different program complexes to run in one and the same processor, there always having to be monitoring as to how the two program complexes interact with each other. By means of the use of peripheral devices which are equipped with inhibit inputs, it can be ensured that the second program complex is not able to output to the peripheral means any commands of which the first program complex has no knowledge. If, for example, the first program complex is a safe, verified program complex, then, before it gives up the processor or computer core to the second program complex, it switches the peripheral means which are assigned to it and to be commanded only by it into a state in which they do not accept any commands at their inputs and outputs. Read access to the registers of these peripheral means can in this case remain continuously admissible. If, following the blocking of these peripheral means, the second program complex obtains the processor or computer core, it is able to run there essentially autonomously. If as a result of programming errors or other errors in the data the second program complex attempts to make write access to the peripheral means of the first complex in a non-conformal way, the blocked peripheral means will ignore these inputs provided to them and not execute them.

The only error which can still occur would be that the second program complex withdraws the inhibit signal, whereupon the relevant peripheral means which belong to the first program complex would erroneously take notice of the commands from the second program complex.

However, as soon as the second program complex releases the processor, either freely because it has arrived at an appropriate program point, or forcibly because of an interrupt coming from the outside, the first program complex obtains knowledge about this hostile behavior of the second program complex, by interrogating the state of the inhibit line. If in so doing it detects manipulations on the inhibit line, it has the possibility of stopping the entire system to which the system architecture belongs in an orderly fashion.

Of course, the new system architecture is inter-linked with further safeguarding means in order to make the safety as high as possible. To this extent, the system architecture described is only a detail from an overall system to be viewed as safe, whose safety is ensured by reciprocal interrogation and checking of adjacent channels and their data in the known manner.

Depending on the application, it may be that the first peripheral means are reserved exclusively for the first program complex, or that among the first peripheral means there is at least one to which it is permissible to have write and/or read access from both program complexes.

Depending on how the two program complexes are intended to relate to each other, it may be expedient to have a storage area via which the two program complexes communicate with each other, since they only have the processor one after another, that is to say consequently can also not operate simultaneously. For this reason they need a common "mailbox", via which they can exchange messages or data.

This store, serving for communication between the program complexes, is preferably accommodated in the second storage means, since by this means it is necessarily ensured that the data and commands of the first program complex, which are located in the first storage means, cannot be changed by erroneous behavior of the second program complex.

A particularly safe system is obtained if the first storage means are reserved exclusively for the first program complex. The same can in principle exist for the second program complex as well, so that a further storage area is provided as a communication area for the program complexes.

If specific errors can be detected by other measures, it is possible for the two storage means to be accommodated in hardware terms in one and the same store and to be separated from one another only via addresses. If, on the other hand, account also has to be taken of errors in the addressing of the store, or other errors in the stores are to be feared, it is advantageous if stores which are separated in terms of hardware are used for the first and the second storage means, that is to say the first and the second storage means are accommodated in separate storage chips.

As a rule, the first program complex has the higher priority, that is to say, even in the case of non-conformal behavior of the second program complex, it must obtain the processor back within a predefined time, in order to be able to execute its control function. Under certain circumstances, this may not be the case, if the second program complex hangs in an endless loop and no longer reaches that program point at which it freely gives back the processor. In order to exclude such errors, the processor is preferably provided with an interrupt controller to which a timer is connected. As a result, the processor can forcibly remove the second program complex, in order that the first program complex once more comes into the possession of the processor.

The safety of the overall system may be increased if there exists in parallel with the first processor at least one further processor in which a program related to the first program complex runs, so that both the processors or program complexes can continually compare their data and computational results, in order to be able to stop the controlled installation in a practical, non-hazardous manner in the event of a difference in the results.

For example, the program complex running on the second processor can exhibit, from the point of view of the peripheral means assigned to it, the same behavior as the first program complex from the point of view of its peripheral means, but while the two program codes are configured differently. This different configuration of the program codes is necessarily achieved if the first and the second processor are different, for example in terms of register length or of commands available.

Finally, the further processor can be used for the purpose of checking whether, while the first program complex did not have the processor, the second program complex has changed the data at the peripheral means in an inadmissible manner following a change of the signals on the inhibit inputs. Following the return of the first program complex, the latter is able to read the data from the peripheral means and to compare it with the data which the third program complex has obtained from its peripheral means. As soon as a difference occurs there, the system is once more able to stop the controlled machine.

In addition, developments of the invention form the subject matter of subclaims. Furthermore, it can readily be seen that any desired combinations of the subclaims are possible. The structure of the remaining system environment in this case plays no part, or no significant part, in the new system architecture.

BRIEF DESCRIPTION OF THE DRAWINGS

An exemplary embodiment of the subject matter of the invention is illustrated in the drawing, in which:

FIG. 1 shows a block diagram of the new system architecture and

FIG. 2 shows, in very diagrammatic form, the time behavior of the two program complexes which are running on the first processor.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Shown in a block diagram in FIG. 1 is a new system architecture 1 for a process control system (the controlled process itself is not shown and may be a machine tool, a chemical process or the like). This system architecture 1 has a first processor 2 and a second processor 3, which are connected to each other via communication lines 4. Connected to the processor 2, likewise via communication lines 6 and 7, are two stores 5a and 5b which are separate from each other. These two stores 5a and 5b are implemented in hardware terms in storage modules which are physically separated from each other.

At least the first processor 2 has an interrupt controller having an appropriately assigned input 8, to which a clock or a timer 9 is connected.

Depending on the processor architecture chosen, the timer 9 may also be a constituent part of the processor 2 itself.

Two groups 12 and 13 of peripheral means are connected to the first processor 2 via a bus system or corresponding communication lines 11.

Peripheral means should be understood in this case as those hardware devices as are used in the case of process or machine control systems for controlling the process. In this case, a difference is drawn between such peripheral means which merely report items of information from the process which is to be controlled to the control system, and also those peripheral means which convert commands from the control system into state changes in the process, for example by actuating relays, solenoid valves, electromechanical interlocks and the like.

Shown as an example for a peripheral means which merely transmits items of information to the control system is a peripheral means 12a which, for example, transmits temperature or position information to the control system. The part which is framed by the block is intended in this case to symbolize the overall necessary hardware which is required in order to convert the physical signal into the electrical variables which are compatible with the interface, as it is formed by the communication lines 11 and the corresponding input connection of the first processor 2. The access to the peripheral means 12a, this fundamentally being a read access, does not mean, however, that write accesses which bring about state changes within the peripheral means 12a are also possible. A second peripheral means 12b is intended to symbolize all those peripheral means which convert items of information or commands supplied by the first processor 2 via the communication lines 11 into a physical variable. Via the interface means 12b, direct intervention is therefore made into the process which is running and to be controlled, for example by actuating an electromagnetic valve 14 which is indicated in diagrammatic form. Other electromechanical converters, such as direct-current or alternating-current motors, heating devices, ignition devices and the like may likewise be a constituent part of the relevant peripheral means 12b.

The broken line 15 which is drawn between the two peripheral means 12a and 12b is intended to indicate that a much larger number of peripheral means may be present, and is generally in fact present, than only the two peripheral means 12a and 12b.

In addition to the communication lines 11, the two peripheral means 12a and 12b are in each case provided with an inhibit input 16a and 16b, respectively, which is connected to a common inhibit line 17, which connects the inhibit inputs 16a and 16b to a corresponding I/O port 18 of the first processor 2.

The second group of peripheral means is composed in a similar way to the first group 12, that is to say it also comprises peripheral means which supply items of information to the first processor 2, and also peripheral means which convert commands of the first processor 2 into corresponding physical or electrical variables. These peripheral means 13a to 13b of the second group 13 are different on the output side, in the direction of the process to be controlled, from the peripheral means 12a to 12b.

The second processor 3 is used to increase the redundancy, for which reason it differs in terms of hardware from the first processor 2, that is to say it has, for example, a different command set and/or a different register length. Furthermore, it is implemented in a dedicated chip or even arranged on a dedicated printed circuit board. The second processor 3 is connected via communication lines 19 to a store 20 assigned to it, and via further communication lines 22 to a dedicated set of peripheral means 23 which, from the point of view of the process to be controlled, have the same function as the peripheral means 12a to 12b of the first group 12, and which if appropriate, to the extent that the execution of commands is concerned, are logically combined on the output side by an AND operation toward the process, in order that state changes in the process or the machine may only be carried out if the two processors 2 and 3 give the same output commands via the relevant peripheral means 12 and 23, respectively.

With the new system architecture 1 it is possible to allow two different program complexes to run, one program complex being a verified and safety-checked program complex, whereas the other second program complex is a program complex on which less high safety requirements are placed. The safe program complex has a counterpart in the processor 3 and is implemented there with a corresponding program, which is stored exclusively in the store 21 and whose data is likewise stored only in the store 21, to the extent that they do not come from the peripheral means 23 or are not kept there.

The program complex which has been verified and is relevant for the safety of the controlled process, referred to below as the first program complex, runs in the first processor 2, as well as a second program complex, which is not decisive for the safety of the controlled process. The first program complex is implemented by a program or a set of programs which is stored in the store 4. The second program complex, likewise a program or a set of programs, is located in the store 5.

Because it has been checked for safety, the first program complex is authorized and provided for addressing the peripheral means of the second group 12 and outputting via said peripheral means commands which intervene actively in the controlled process or the machine and perform state changes there. An example of such a peripheral means is the peripheral means 12b indicated as an example.

In addition, the first program complex also makes access to the peripheral means 12, which transmit information from the process to the program complex; for example via the peripheral means 12a.

For the further description, let it be initially assumed that the second program complex interacts exclusively with the peripheral means of the second group 13, that is to say neither obtains data from the first group 12 nor makes write access to these peripheral means of the first group 12. This assumption applies to an error-free design for the second program complex and under the condition that the error-free design has also been used in an error-free manner in the corresponding programs.

For the further functional and sequence description, let it be further assumed that the initialization phase for the program complexes has already run through, and the system is in normal operation. Under these conditions, the first and the second program complex periodically alternate in the first processor 2. The behavior is observed at a time at which, as specified in the upper bar with the designation "Prog. I" in FIG. 2, the first program complex is active, that is to say is receiving data from the process to be controlled and, if necessary, emitting appropriate commands to the process. At the same time, during this phase the first program complex continuously compares its measured and calculated data with the corresponding data which the program complex running on the second processor 3 obtains from its peripherals or calculates from the data obtained. As long as this comparison shows identity, the system continues to operate. However, if the two processors 2 and 3 determine that there are deviations, the entire process is immediately stopped in accordance with previously defined routines.

If this is not the case, that is to say the data comparison between the two processors 2 and 3 does not allow any error to be detected, the first program complex comes, within a maximum time limit, to a point at which it no longer needs the processor 2. When this point is reached, firstly the inhibit inputs 16a and 16b of the peripheral means of the first group 12 have a blocking signal applied to them by the first program complex via the appropriate output 18. As a result, the peripheral means of the first group 12 change over into a state in which they ignore any write signals, possibly arriving via the communication lines 11, which would change their state. A read access, in the sense that data is interrogated from the peripheral means or the associated interface cards via the communication lines 11, still remains possible, however.

After the first program complex has sent this inhibit signal to its associated peripheral means 12, it releases the first processor 2. The release of the first processor 2 by the first program complex then results in the second program complex, which is stored in the store 5, obtaining the first processor 2 and thus receiving the possibility of operating the peripheral means 13 associated with the second program complex. On the assumption that the second program complex operates in an error-free manner, it does not make any write access, that is to say state-changing access, to the peripheral means 12, which are reserved for the first program complex. If, because of a programming error or any other error, it does indeed do this or attempt this, the write access has no effect, since the peripheral means 12 are blocked via the inhibit inputs 16a and 16b against write accesses.

Before a predetermined time has expired, the second program complex reaches a program point at which it freely gives up the first processor 2. The first processor 2 can then once more start the first program complex. This first program complex firstly checks whether the peripheral means 12 still have the inhibit signal. The inhibit signal is then cleared, in order that the first program complex can once more communicate normally with its peripheral means 12. The next step carried out is a data comparison between the first program complex of the first processor 2 and the program complex running on the second processor 3 and, in the event that this comparison has not shown any differences, the first program complex proceeds normally on the first processor 2.

On the other hand, if during the reinitialization of the first program complex, the latter should establish that the inhibit signal is no longer present, the first program complex assumes that the second program complex has not behaved in a conformal manner and has attempted in an inadmissible way to output control commands via the corresponding peripheral means 12. Since this is a hazardous error situation, the controlled process is then immediately stopped.

A further error in the second program complex may be that it clears the inhibit signal and then sets it once more, in order in the meantime to be able to make write access to the peripheral means 12. Such erroneous behavior is determined by comparing the data from the first program complex with the data which is held by the program complex on the second processor 3. It is thus ensured, with very high safety, that the second program complex, which is not subject to any safety testing, does not interfere with the first program complex, which has been checked for safety, because of design or other errors.

Nevertheless, the two program complexes can run on one and the same processor and if appropriate even share those peripheral means via which data are transmitted only in the direction of the relevant processor. The user who is setting up the second program complex can save himself complicated error considerations and error handling routines if he accommodates all the command sequences which are relevant to safety in the first program complex, and he then needs to put complicated error consideration in place only for this program complex. Subsequent changes in the second program complex are readily possible, which significantly simplifies the programming of the new system architecture. In particular, it is sufficient if it is always only the hardware, including the first program complex, which is tested and accepted by the supervising authority. Without this division, the user would be forced to have a new check performed by the supervising authority in the case of every small change, even to command sequences not relevant to safety.
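The hand-over sequence described in the summary and again in the embodiment above (assert the inhibit signal, release the processor, check the inhibit line on return, then compare peripheral data with the second processor) is simulated below. This is an added example written for this page, not code from the patent or from any product; the peripheral model, the function names and the sample register values (0x10, 0x20) are assumptions made for the example. It shows which of the three detection steps catches each kind of faulty behaviour of the second program complex, including the clear-write-restore case that only the cross-processor data comparison can reveal.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of one output peripheral of the first group (e.g. 12b):
 * a command register plus an inhibit input on the common inhibit line 17. */
typedef struct {
    uint8_t command;    /* last accepted state-changing command */
    bool    inhibited;  /* level on the inhibit input 16 */
} peripheral_t;

/* Write access: accepted only while the inhibit input is not set. */
static bool peripheral_write(peripheral_t *p, uint8_t cmd)
{
    if (p->inhibited)
        return false;   /* blocked: the write is ignored, not executed */
    p->command = cmd;
    return true;
}

/* Read access remains admissible regardless of the inhibit input. */
static uint8_t peripheral_read(const peripheral_t *p)
{
    return p->command;
}

typedef enum {
    SYS_RUNNING,                  /* no error detected, continue */
    SYS_STOPPED_INHIBIT_TAMPERED, /* inhibit line no longer set on return */
    SYS_STOPPED_DATA_MISMATCH     /* data differs from the second processor */
} sys_state_t;

/* Whatever the unverified second program complex does with the processor. */
typedef void (*second_complex_fn)(peripheral_t *first_group, size_t n);

/* One hand-over cycle of the first program complex:
 *   1. assert inhibit on its reserved peripherals, then release the processor,
 *   2. the second program complex runs,
 *   3. on return: check the inhibit line (3a), clear it (3b), and compare the
 *      peripheral data with the values held on the second processor (3c). */
static sys_state_t run_cycle(peripheral_t *first_group, size_t n,
                             const uint8_t *second_processor_view,
                             second_complex_fn second_complex)
{
    for (size_t i = 0; i < n; i++)
        first_group[i].inhibited = true;          /* step 1 */

    second_complex(first_group, n);               /* step 2 */

    for (size_t i = 0; i < n; i++)                /* step 3a */
        if (!first_group[i].inhibited)
            return SYS_STOPPED_INHIBIT_TAMPERED;

    for (size_t i = 0; i < n; i++)                /* step 3b */
        first_group[i].inhibited = false;

    for (size_t i = 0; i < n; i++)                /* step 3c */
        if (peripheral_read(&first_group[i]) != second_processor_view[i])
            return SYS_STOPPED_DATA_MISMATCH;

    return SYS_RUNNING;
}

/* Constructed behaviours of the second program complex, error-free to faulty. */
static void second_conformal(peripheral_t *g, size_t n) { (void)g; (void)n; }

static void second_stray_write(peripheral_t *g, size_t n)
{   /* programming error: writes to reserved peripherals; ignored while inhibited */
    for (size_t i = 0; i < n; i++)
        peripheral_write(&g[i], 0xFF);
}

static void second_clears_inhibit(peripheral_t *g, size_t n)
{   /* withdraws the inhibit signal and leaves it withdrawn */
    (void)n;
    g[0].inhibited = false;
    peripheral_write(&g[0], 0xFF);
}

static void second_clear_write_restore(peripheral_t *g, size_t n)
{   /* clears, writes, sets inhibit again: only the data comparison catches it */
    (void)n;
    g[0].inhibited = false;
    peripheral_write(&g[0], 0xFF);
    g[0].inhibited = true;
}

/* Runs one cycle on a constructed pair of peripherals whose expected state,
 * 0x10 and 0x20, is also held by the program complex on the second processor. */
static sys_state_t scenario(second_complex_fn second_complex)
{
    peripheral_t group[2] = { { 0x10, false }, { 0x20, false } };
    const uint8_t second_processor_view[2] = { 0x10, 0x20 };
    return run_cycle(group, 2, second_processor_view, second_complex);
}

int main(void)
{
    printf("conformal:           %d\n", scenario(second_conformal));
    printf("stray write:         %d\n", scenario(second_stray_write));
    printf("clears inhibit:      %d\n", scenario(second_clears_inhibit));
    printf("clear/write/restore: %d\n", scenario(second_clear_write_restore));
    return 0;
}
```

The stray write is absorbed by the inhibit input alone and the system keeps running; a withdrawn inhibit signal is caught at step 3a; the clear-write-restore sequence passes step 3a and is caught only at step 3c, which is why the patent pairs the inhibit line with the redundant second processor rather than relying on either alone.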

The first and the second program complex alternate continuously on the first processor 2 in the manner just described. In so doing, in accordance with a time-slicing method, they obtain the first processor and, assuming freedom from errors, give it up freely once more, also within the time slice. If, however, one of the two program complexes gets into an endless loop, the timer 9 expires before the return of the processor 2, said timer then producing at the interrupt input 8 an interrupt which causes the processor to change over into an alarm routine which aborts the program complex running at that time and, depending on whether the error has been produced in the safety-relevant part or in the non-safety-relevant part, either merely outputs an error message or stops the adjacent system.
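The time-slice supervision by timer 9 and interrupt input 8 described in the preceding paragraph is simulated below. This is an added example written for this page, not the patent's code; each program complex is modelled as a step function called once per timer tick that reports whether it has reached the program point at which it freely gives back the processor, and the slice length, the function names and the constructed step behaviours are assumptions. Expiry of the slice stands for the timer interrupt, and the outcome depends on which complex was aborted, as the text specifies.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { COMPLEX_FIRST, COMPLEX_SECOND } complex_id_t;

typedef enum {
    SLICE_RETURNED,        /* processor freely given back within the slice */
    SLICE_ERROR_MESSAGE,   /* timer expired in the non-safety-relevant part */
    SLICE_SYSTEM_STOPPED   /* timer expired in the safety-relevant part */
} slice_result_t;

/* One tick of work for a program complex; returns true when it has reached
 * the program point at which it freely gives back the processor. */
typedef bool (*step_fn)(unsigned tick);

/* Runs one complex for at most slice_ticks ticks of timer 9. Reaching the
 * limit stands for the interrupt at input 8 that aborts the running complex. */
static slice_result_t run_slice(complex_id_t id, step_fn step, unsigned slice_ticks)
{
    for (unsigned tick = 0; tick < slice_ticks; tick++)
        if (step(tick))
            return SLICE_RETURNED;
    return (id == COMPLEX_FIRST) ? SLICE_SYSTEM_STOPPED : SLICE_ERROR_MESSAGE;
}

/* Alternates the two complexes and stops at the first slice that ends
 * abnormally. Returns the number of completed first/second alternations and
 * reports the result of the last slice through *last. */
static unsigned alternate(step_fn first, step_fn second, unsigned slice_ticks,
                          unsigned max_rounds, slice_result_t *last)
{
    unsigned rounds = 0;
    *last = SLICE_RETURNED;
    while (rounds < max_rounds) {
        *last = run_slice(COMPLEX_FIRST, first, slice_ticks);
        if (*last != SLICE_RETURNED)
            return rounds;
        *last = run_slice(COMPLEX_SECOND, second, slice_ticks);
        if (*last != SLICE_RETURNED)
            return rounds;
        rounds++;
    }
    return rounds;
}

/* Constructed behaviours: one that returns the processor after four ticks,
 * one that never reaches its return point (endless loop). */
static bool step_returns_after_three(unsigned tick) { return tick >= 3; }
static bool step_endless_loop(unsigned tick) { (void)tick; return false; }

int main(void)
{
    slice_result_t last;
    unsigned rounds = alternate(step_returns_after_three, step_returns_after_three,
                                10, 5, &last);
    printf("both conformal: %u rounds, last result %d\n", rounds, last);
    rounds = alternate(step_returns_after_three, step_endless_loop, 10, 5, &last);
    printf("second complex hangs: %u rounds, last result %d\n", rounds, last);
    return 0;
}
```

Because the first program complex is always scheduled again after an aborted second complex, the timer guarantees the bound stated earlier in the text: the safety-relevant complex regains the processor within one slice length regardless of how the unverified complex behaves.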

Finally, it is possible to allow the two program complexes to communicate with each other via a common storage area 25, for example if the non-safe second program complex needs data which the first, safe program complex has calculated. In order to rule out endangering the first program complex, the communication area is placed in the store 5b, in which the second program complex is located and where it also keeps its data. Erroneous write accesses into this storage area 25 serving for the communication are likewise not able to impair the verified program complex.


We claim:
 1. A system architecture having a first processor, having first storage means assigned to the first processor, having first peripheral means which are assigned to the first processor and have inputs/outputs and inhibit inputs connected to the first processor, said inhibit inputs being used to block the first peripheral means from receiving information from the inputs when an inhibit signal has been transmitted to the inhibit inputs, having a first program complex which runs on the first processor, which is verified with respect to freedom from errors, which interacts at least predominantly with the first storage means of the first processor, and operates in such a way that, when it is running on the first processor, when defined conditions are reached, the first program complex emits an inhibit signal to the peripheral means assigned to the first program complex and releases the first processor, and withdraws or clears the inhibit signal as soon as the first program complex obtains the first processor back, having second storage means assigned to the first processor, having second peripheral means which are assigned to the first processor and have inputs/outputs connected to the first processor, having a second program complex which runs on the first processor, the active running of the second program complex being nested in time with the active running of the first program complex, on which lower requirements with respect to freedom from errors are placed than on the first program complex, which interacts at least predominantly with the second storage means of the first processor, given error-free running then makes only read access, if at all, to the inputs/outputs of the peripheral means assigned to the first program complex, and when defined conditions are reached, releases the first processor.
 2. The system architecture as claimed in claim 1, wherein there is among the first peripheral means at least one which is reserved for the first program complex.
 3. The system architecture as claimed in claim 1, wherein there is among the first peripheral means at least one to which it is permissible to have write and/or read access both from the first program complex and from the second program complex.
 4. The system architecture as claimed in claim 1, wherein there is a storage area via which the first and second program complexes communicate with each other.
 5. The system architecture as claimed in claim 4, wherein the storage area via which the first and the second program complex communicate with each other is located in the first and/or the second storage means or in only one of the two storage means.
 6. The system architecture as claimed in claim 1, wherein the first storage means are reserved for the first program complex.
 7. The system architecture as claimed in claim 1, wherein the first and the second storage means are realized in hardware terms in a common store, and wherein a first group of storage addresses forms the first storage means and a second group of addresses forms the second storage means.
 8. The system architecture as claimed in claim 1, wherein the first and the second storage means are realized in hardware terms in separate stores.
 9. The system architecture as claimed in claim 1, wherein the first program complex, when the first processor is obtained back, checks whether the inhibit signal is still present or has not been withdrawn in the meantime, before clearing or withdrawing said signal.
 10. The system architecture as claimed in claim 1, wherein the first program complex is a program complex which has a safety function.
 11. The system architecture as claimed in claim 1, wherein the first processor has an interrupt controller to which a timer is connected, and wherein a condition which leads to the first program complex obtaining the first processor back is an interrupt triggered by the timer.
 12. The system architecture as claimed in claim 1, wherein the condition for the release of the first processor by the relevant program complex is an appropriate program instruction in the relevant program complex.
 13. The system architecture as claimed in claim 1, wherein the commands which form the first program complex and/or data which is assigned exclusively to the first program complex are stored in the first storage means.
 14. The system architecture as claimed in claim 1, wherein the commands which form the second program complex and/or data which is assigned exclusively to the second program complex are stored in the second storage means.
 15. The system architecture as claimed in claim 1, further comprising a second processor, third storage means assigned to the second processor, third peripheral means which are assigned to the second processor and have inputs/outputs connected to the second processor, and a third program complex, running on the second processor, which interacts with the third storage means and communicates with the third peripheral means.
 16. The system architecture as claimed in claim 15, wherein the first and the second processor are different from each other.
 17. The system architecture as claimed in claim 15, wherein the third program complex behaves, from the point of view of the third peripheral means, predominantly or exactly as does the first program complex from the point of view of the peripheral means of the first program complex, to the extent that the latter coincide in functional terms with the third peripheral means.
 18. The system architecture as claimed in claim 15, wherein the first and the third program complex, apart from any possible communication with the second program complex, are intended to furnish the same function.
 19. The system architecture as claimed in claim 15, wherein the first and the third program complex communicate with each other at least from time to time.
 20. The system architecture as claimed in claim 15, wherein the communication comprises the comparison of data calculated by each of the two program complexes, and of data which is or has been supplied by the associated peripheral means.
 21. The system architecture as claimed in claim 15, wherein there are still further processors and program complexes present.
 22. The system architecture as claimed in claim 1, wherein the system architecture is implemented in a machine control system.